Department of Homeland Security
Office of Inspector General

Improved Management and Stronger Leadership Are Essential to Complete the OneNet Implementation
(Redacted)

OIG-09-98    September 2009

September 4, 2009

Table of Contents/Abbreviations

Executive Summary
Background
Results of Audit
   Actions Taken to Implement OneNet
   Improved Management Oversight Needed To Complete OneNet Implementation
   Recommendations
   Management Comments and OIG Analysis
   Technical Changes Can Improve OneNet Security
   Recommendations
   Management Comments and OIG Analysis

Appendices
   Appendix A: Purpose, Scope, and Methodology
   Appendix B: Management Comments to the Draft Report
   Appendix C: Components’ OneNet Implementation Status
   Appendix D: Major Contributors to this Report
   Appendix E: Report Distribution

Abbreviations
   AES       Advanced Encryption Standard
   CBP       Customs and Border Protection
   CDP       Cisco Discovery Protocol
   CIO       Chief Information Officer
   CIOC      Chief Information Officer Council
   CIS       Citizenship and Immigration Services
   CONOPS    Concept of Operations
   DCN       DHS Communication Network
   DHS       Department of Homeland Security
   DISA      Defense Information Systems Agency
   FEMA      Federal Emergency Management Agency
   FISMA     Federal Information Security Management Act
   FLETC     Federal Law Enforcement Training Center
   FY        Fiscal Year
   HQ        Headquarters
   ICCB      Interim Change Control Board
   ICE       Immigration and Customs Enforcement
   IP        Internet Protocol
   ISS       Internet Security Systems
   IT        Information Technology
   ITP       Information Technology Infrastructure Transformation Program
   MD5       Message-Digest Algorithm 5
   MOA       Memorandum of Agreement
   MPLS      Multiple Protocol Label Switching
   NIST      National Institute of Standards and Technology
   NOC/SOC   Network Operation Center/Security Operation Center
   OCIO      Office of Chief Information Officer
   OMB       Office of Management and Budget
   PMP       Project Management Plan
   PMR       Program Management Review
   SIOC      Senior Infrastructure Officer Council
   TACACS    Terminal Access Controller Access-Control System
   TIC       Trusted Internet Connection
   TSA       Transportation Security Administration
   USCG      United States Coast Guard
   USSS      United States Secret Service
   WAN       Wide Area Network

Executive Summary

The Homeland Security Act of 2002 requires the Department of Homeland Security (DHS) to establish a secure information technology (IT) structure that enhances the communication, security, and sharing of data between components. In 2005, DHS began the process to consolidate its components’ existing infrastructures into a wide area network (WAN), known as OneNet. The goal of the OneNet initiative is to help DHS consolidate its existing IT infrastructure into a more efficient and standardized architecture and to help the department improve overall cost effectiveness across the enterprise.

DHS is behind schedule in implementing OneNet, and is facing numerous challenges in achieving its network consolidation objectives. Three years have lapsed since the initial scheduled completion date of OneNet. Many OneNet implementation activities are not complete, progress to date has been limited, and cost savings have not been realized.
These problems are occurring because DHS has not provided effective oversight or leadership to guide components’ transition into OneNet and to ensure the completion of critical tasks for the consolidation.

Concerning security requirements, DHS has implemented adequate security controls over OneNet. We did not identify any critical vulnerabilities that could be exploited to gain unauthorized access to the network. In addition, DHS is performing adequate network and security monitoring. We determined that program officials had ensured OneNet was certified and accredited in accordance with applicable DHS information security policy. However, DHS has not configured          according to DHS security guidelines and          to provide          at its backup facility.

We are making nine recommendations to the Under Secretary for Management and Chief Information Officer. DHS concurred with five recommendations and has already begun to take actions to implement them. The resolved recommendations will remain open until DHS provides documentation to support that the implementation of all planned corrective actions is complete.
The remaining unresolved recommendations will require additional discussion between our offices before disposition. DHS’ response is summarized and evaluated in the body of this report and included, in its entirety, as Appendix B.

Background

On November 25, 2002, Congress enacted the Homeland Security Act of 2002, establishing DHS, including its mission, functions, and component organizations. As part of the Act, DHS was required to establish a secure IT infrastructure that enhances the communication, security, and sharing of data between DHS components.

In 2005, the Chief Information Officer (CIO) Council developed an operational model (see Figure 1) which assigned centralized governance and oversight responsibilities to the DHS CIO, and the decentralized execution of roles to the components that have been designated as “stewards.” For example:
  • Customs and Border Protection (CBP) is responsible for network services and data center services.
  • United States Coast Guard (USCG) is responsible for E-mail and help desk services.
  • Federal Emergency Management Agency (FEMA) is responsible for video services and serves as a backup for email and Network Operation Center/Security Operation Center (NOC/SOC) activities.

Figure 1: CIO Council Stewardship Operational Model

On July 31, 2005, the Deputy Secretary approved the Information Technology Infrastructure Transformation Program (ITP) Charter, which established the roles and responsibilities for the CIO, stewards, and DHS components. The focus of the ITP was to provide a single IT infrastructure that is capable of supporting the department’s mission and providing unified IT services to all DHS components.[1] The ITP consists of five primary domains: data center, E-mail, help desk, network, and video services. Subsequently, a program office was established within the Enterprise Services Division of the Office of the Chief Information Officer (OCIO). Its task was to begin consolidating and modernizing the DHS IT infrastructure. In the department’s October 21, 2005, response to our prior audit report, the CIO estimated that DHS would complete the consolidation of existing infrastructures into OneNet in FY 2006.[2]

In addition to the ITP Charter, the program office developed the following documents to assist DHS in managing the OneNet project:
  • The Project Management Plan (PMP) which contains the scope, tasks, schedule, allocated resources, and interrelationships with other projects.
    According to the PMP, the OneNet implementation is divided into four phases. The PMP is required to be updated at the end of each phase or when new information becomes available.
  • The Program Management Review (PMR) which provides the Enterprise Services Division with a monthly snapshot of its projects, such as the ITP for OneNet.
  • The DHS Security Operations Concept of Operations (CONOPS) which contains the operating procedures of the DHS SOC and the incident response procedures at component SOCs.

As the network steward, CBP is responsible for developing and coordinating with other components to consolidate their existing infrastructures into OneNet. In addition, CBP is also responsible for the overall management of the DHS NOC/SOC function. OneNet will ultimately integrate with component WANs and will provide a global communications environment that offers improved security and interoperability throughout the department. DHS envisions that OneNet will provide the components with secure data, voice, video, tactical radio, and satellite communications between internal and external DHS resources. OneNet will employ          technology to provide DHS components with enhanced redundancy, survivability, and reliability.[3] Figure 2 provides a high-level view of OneNet’s architecture and design.

[1] OneNet PMP, version 1.3, dated January 16, 2009.
[2] OIG-06-05, Improved Security Required for DHS Networks (November 2005).

Figure 2: OneNet Architecture and Design Overview
[Diagram: a central "DHS OneNet" element connecting six example user sites: Site 1, DHS (Headquarters); Site 2, USCG (Harbor Patrol); Site 3, TSA (Airport); Site 4, Secret Service (Field office); Site 5, CBP (Border Patrol); Site 6, FEMA (Mobile Command Center).]

Before a component can migrate to OneNet, several key activities must be completed.
Components must:
  • Convert their sites to
  • Provide CBP with
  • Comply with the OneNet internet protocol (IP) address schemes to avoid conflicts.
  • Establish and sign a memorandum of agreement (MOA) to define the roles and responsibilities between CBP and the component.

Ultimately, OneNet will help reduce the number of fragmented component networks, providing DHS with a secure in-house solution that enables centralized management and configuration capabilities. By consolidating its existing network infrastructures and data centers, DHS had estimated that it would provide a total saving of $871 million. Further, DHS estimated that it would cost a total of $502 million to complete the OneNet implementation. By the end of FY 2009, DHS will have spent $149 million on OneNet implementation.

On November 20, 2007, the Office of Management and Budget (OMB) issued Memorandum 08-05 (M-08-05) announcing the Trusted Internet Connection (TIC) initiative. The purpose of the TIC initiative is to reduce the number of government external connections, including internet points of presence.

DHS is in the process of implementing OMB’s TIC initiative as part of the department’s OneNet project.
As of April 1, 2009, one TIC was operational at          DHS expects          will become operational          by the third quarter of FY 2009. Currently, as part of OneNet, DHS’ TIC provides four services to components:          DHS estimated the completion of its TIC initiative by October 30, 2009. Figure 3 depicts OneNet topology with component gateways.

Figure 3: OneNet Diagram with Components Gateways

Results of Audit

Actions Taken to Implement OneNet

CBP, as the network steward, has taken various steps to consolidate existing infrastructures into OneNet. The steps are designed to provide a single IT infrastructure that is capable of supporting the department’s mission and providing unified IT services to all DHS components. For example, CBP has:
  • Certified and accredited the          TIC in 2007 and OneNet in 2008.[4] Our review of the certification and accreditation packages revealed no significant deficiencies.
    As such, both OneNet and the TIC were certified and accredited in accordance with applicable DHS and OMB information security policy.
  • Established a change control process to ensure that configuration changes are reviewed, authorized, and tested prior to being implemented on the routers and firewalls on OneNet.
  • Established a department-wide NOC/SOC incident response and reporting capability to resolve computer and network irregularities that may affect DHS' ability to conduct its mission, on a 24 hour, 7 day a week basis.[5]
  • Implemented effective controls to protect the sensitive data stored and processed by the network. We did not identify any critical vulnerabilities from our internal vulnerability assessments or external penetration testing that could be exploited to gain access to the network.

Despite these efforts, DHS faces challenges in completing its OneNet implementation. For example, DHS is experiencing delays in meeting its scheduled completion date to consolidate existing infrastructures into OneNet. In addition, components are reluctant to participate and are not subscribing to the implementation of OneNet and the TIC.
More work remains to ensure that components’ existing infrastructures are consolidated into OneNet and provide the department with a more efficient WAN and help DHS improve overall cost effectiveness across the enterprise.

[4] For certification and accreditation purposes, DHS divided the network into two systems: OneNet, and TIC.
[5] The DHS NOC is responsible for ensuring the reliable operation of OneNet and manages the configuration, operation, monitoring, and maintenance of the entire network infrastructure, supported by a network management system and a suite of network devices. The DHS SOC is responsible for monitoring the security of OneNet and manages the configuration, operation, monitoring, and maintenance of security devices deployed around the enterprise.

Improved Management Oversight Needed To Complete OneNet Implementation

DHS has not provided effective oversight to ensure the timely implementation of OneNet. In addition, the department has not provided adequate leadership to guide components in their transition to OneNet and the DHS TIC. Without the required management oversight and leadership, CBP, as the OneNet steward, may not be able to fully consolidate components’ existing infrastructures into OneNet.
As a result, DHS may not be able to reach its ultimate goal of consolidating and modernizing its existing infrastructure and achieve projected cost savings.

OneNet Implementation Is Behind Schedule

As of April 2009, almost three years have lapsed since the original FY 2006 completion date. Many OneNet implementation activities are not complete and progress has been limited. The delays in implementing OneNet have stalled the department’s effort. For example, in the department’s FY 2007 budget, DHS had anticipated the following:[6]
  • Achieving significant cost savings by shutting down redundant networks at components after the consolidation.
  • Eliminating six component NOCs/SOCs after establishing the primary NOC/SOC to manage and monitor OneNet.

While the department has established the NOC/SOC to manage and monitor OneNet, ITP program officials do not anticipate that DHS will eliminate any component NOCs/SOCs.
Additionally, ITP program officials and CBP personnel do not foresee that any component networks will be shut down.

In addition, DHS has not established interim milestones for the critical tasks, such as establishing the MOAs between the components and CBP and converting components’ sites to          Furthermore, the PMP, which is necessary to manage the project, does not contain the most accurate information or reflect the current status of the network implementation.

[6] Department of Homeland Security Budget-in-Brief Fiscal Year 2007.

According to an ITP program official, DHS expected components to complete their migration to OneNet by April 2010. The program official added that this new target date had been communicated orally to the components in conferences and meetings, but had not been established formally.

Status of Components’ Activities

As of April 2009, six components have yet to establish MOAs with CBP.[7] Only DHS Headquarters and FEMA have MOAs with CBP. The remaining components’ MOAs are in different stages of completion and review.
In addition, FEMA and United States Secret Service (USSS) have yet to convert all of their sites to          Only five components (CBP, DHS Headquarters [HQ], Federal Law Enforcement Training Center [FLETC], Immigration and Customs Enforcement [ICE], and Transportation Security Administration [TSA]) have completed the conversion of their IP address schemes to OneNet to avoid conflicts. See Appendix C for a summary of components’ OneNet implementation status.

Outdated Documentation

Documentation used by CBP in managing OneNet does not contain the most updated project information. The latest version of the PMP, dated January 16, 2009, had not been updated since June 21, 2006, or for more than two years. The PMP does not contain any detailed OneNet implementation activities beyond FY 2009 or include the estimated resources needed to complete the project. For example:
  • Phase I: DHS Communication Network (DCN) Transformation. During this phase, the key task is to convert the DCN legacy network backbone to next-generation          service.
    According to the PMP, this transformation was completed in May 2005.
  • Phase II: OneNet Capability and Stewardship. In the PMP, key activities and milestones for this phase include: complete functional requirements analysis; develop end-state design; establish the Primary NOC and SOC capability; convert ICE to          service; and begin assuming responsibility for component edge routers. According to the PMP, this phase was completed in September 2006. However, OneNet’s end-state design has not been completed because the security requirements and network functionality continue to evolve.
  • Phase III: Interim Operating Capability (Component WAN Transition). According to the PMP, CBP, Citizenship and Immigration Services (CIS), ICE, DHS HQ, and TSA completed their transition to OneNet by 2007. In addition, the OneNet steward was to assume the operational control of components’ core routers and the internal DCN facing firewalls.
  • Phase IV: Full Operating Capability. It is noted in the ITP Charter, PMP, and CONOPS that FEMA is required to establish the alternate NOC/SOC capability. According to the PMP, this phase was to be completed by FY 2008. In addition, the PMP and CONOPS have not been updated to reflect that FEMA is no longer required to establish the alternate NOC/SOC for OneNet and that CBP has already established a backup NOC/SOC facility.

[7] The roles and responsibilities between CBP and components, as well as agreed upon services, are documented in MOAs.

As part of the capital planning process, OMB requires agencies to institute performance measures and provide management oversight to monitor an IT project’s actual performance compared to expected results. Agencies are required to prepare and update an implementation plan or PMP for IT investments. The plan should define the scope of work, identify the roles and responsibilities of key personnel, and include milestones for critical tasks.
Finally, agencies are required to review and update the plan periodically to determine whether an IT investment is meeting established milestones, continues to deliver intended benefits, and is completed within budget.

Without a consolidated WAN for the department, DHS will continue to operate expensive, geographically dispersed networks and inefficiencies and service reliability issues will remain unresolved. As a result, DHS will face additional delays in achieving its projected cost savings of $841 million by consolidating its network infrastructures and data centers.

Department Leadership Needs Strengthening For Components’ OneNet and TIC Migration

DHS has not provided effective leadership to ensure that components align their priorities with the department’s OneNet and TIC initiatives. Components have made limited progress or shown little interest in consolidating their existing infrastructures into OneNet. Furthermore, components who are reluctant to migrate to OneNet have insisted on maintaining their own internet gateways, and are hesitant to use DHS TIC services.
As a result, DHS may incur additional expenses to maintain dispersed networks and compromise network security.

As of April 2009, DHS was already behind in its TIC implementation schedule and will not meet its October 30, 2009, milestone. CIS, CBP, ICE, and TSA are not expected to complete their TIC migration until December 31, 2009. Furthermore, FEMA is not expected to complete its migration to the DHS TIC until June 2010.

None of the components were using all four services that the DHS TIC provides. Three components (FEMA, TSA, and USCG) do not use any of the four services. The majority of the other components are either using one or two services. Only DHS HQ uses three services. See Figure 4 for a list of components’ TIC services.

Figure 4-List of DHS TIC Services and Components’ Usage

                        DHS TIC Services
Components

CBP                                X
CIS             X                  X
DHS HQ          X                  X                  X
FEMA
FLETC           X
ICE             X                  X
TSA
USCG
USSS            X

USCG and USSS indicated that they will not complete their migration to the DHS TIC or consolidate their existing infrastructures onto OneNet.
USSS decided that it would only use           service that the DHS TIC provides. In addition, USSS personnel indicated that the component was planning to submit a waiver to the DHS CIO requesting to be exempted from joining OneNet. Due to USCG’s unique military background and requirements, after a February 2009 meeting between DHS and Defense Information Systems Agency (DISA) senior officials, both agencies agreed to allow USCG to be under the primary governance of DISA and transition to DISA’s TIC.

With the exception of USCG, DHS has not authorized any component to maintain its own internet gateways. However, citing the specific needs to meet their mission and business requirements and security concerns, several components plan to maintain their own internet gateways or connection to the internet after their migration to the DHS TIC.
Figure 5 is a list of existing component gateways.

Figure 5-List of Existing Component Gateways

Components    Number of Remaining Internet Gateways    Location
CIS           1
FEMA          5
FLETC         2
ICE           1
TSA           1
USCG          4
USSS          1

ITP program officials and CBP personnel attribute part of the delays in components’ OneNet consolidation and migration to the DHS TIC to the ever changing network design and increased security requirements for new DHS and OMB initiatives. In addition, due to the lack of consistency in granting security clearances and standardized suitability tests at the components, some components had concerns in relinquishing control of their network services to OneNet administrators.
For example, USSS requires individuals serving as system administrators to pass a polygraph examination before being granted access to its network. However, CBP does not have the same polygraph requirement for OneNet administrators.

OMB’s TIC initiative requires agencies to reduce the number of gateways to improve efficiency and security. By allowing components to maintain their own internet gateways, DHS may incur extra expenses for maintaining additional internet connections. When the TIC initiative was announced, OMB indicated that the reduction of access points to trusted internet connections would improve the situational awareness for federal agencies and allow the government to address potential threats in an expedited and efficient manner. It is also OMB’s goal to minimize overall operating costs for services through economies of scale.

Due to staffing shortages, OCIO has not been able to perform its program management oversight functions to ensure that OneNet implementation is on schedule and key project documents are current.
OCIO staffing shortages are indicators that DHS has not provided efficient oversight to manage OneNet implementation.

Increased risks exist that the OneNet implementation may be further delayed, preventing DHS from obtaining a consolidated IT infrastructure that is capable of supporting the department’s mission and providing unified IT services to all components. Establishing interim milestones and maintaining current project documentation will provide DHS with the ability to better plan for the OneNet implementation and monitor components’ progress.

Recommendations

We recommend that the Under Secretary for Management direct the CIO to:

Recommendation #1: Strengthen the department’s oversight of OneNet implementation. Specifically, an agreed upon completion date and interim milestones for critical tasks to meet that date should be established to evaluate progress and determine whether critical tasks are completed timely.
Components should be notified of implementation milestones.

Recommendation #2: Update the OneNet PMP and other documents periodically to reflect the current status of the implementation.

Recommendation #3: Evaluate and revise the department’s current implementation strategy to ensure that components align their priorities with and participate in the department’s OneNet and TIC initiatives.

Recommendation #4: Establish component implementation schedules to ensure their timely migration to OneNet and DHS TIC.

Recommendation #5: Establish a process to evaluate and address components’ existing requirements regarding personnel security for the network administrators.

Management Comments and OIG Analysis

DHS response to recommendation 1

DHS did not concur with recommendation 1. Management responded that, in addition to a strong leadership team that maintains day-to-day oversight, the department has a multi-faceted structure in place to oversee and govern the OneNet program.
The Interim Change Control Board (ICCB) assures that all changes are planned, engineered, tested, coordinated and approved prior to their release into the OneNet production environment; the Chief Information Security Officer monitors performance of the SOC to ensure it is compliant with DHS’ security policies; the Senior Infrastructure Officer Council (SIOC) regularly reviews all current projects, schedule, cost and performance; and the Chief Information Officer Council (CIOC) develops overarching guidance and directs the effort. At the OCIO level, the DHS CIO/Deputy CIO and the CBP CIO/Deputy CIO have frequent discussions regarding the status of the OneNet implementation.

Furthermore, the department has several program level reporting mechanisms in place to review the cost, schedule and performance status, and bi-weekly updates to the SIOC regarding OneNet implementation status that is reported in a “stoplight chart.” Additionally, program milestones, schedule, risks and mitigation strategies are reported to the CIO at the monthly program management reviews. To further augment these program management techniques, DHS will work with components to update and establish project plans and schedules with key milestones and specific, accurate dates pertaining to the OneNet and TIC migrations.
The department will continue to monitor progress through the SIOC/CIOC and work with each component to ensure all schedules, critical tasks and milestones are being completed in a timely manner.

OIG analysis

We consider this recommendation unresolved and will require additional discussion between our offices before disposition. We maintain that DHS must strengthen its component oversight to ensure timely completion of the OneNet consolidation. Three years have lapsed since the original FY 2006 completion date. Many implementation activities are not complete and components have made limited progress or shown little interest in consolidating their existing infrastructures into OneNet. For example, none of the components are using all four services that the DHS TIC provides. The majority of components are currently using one or two services and several components plan to maintain their own internet connection after their migration to the DHS TIC.

As we noted in our report, an adequate change control process has been established to ensure that configuration changes are reviewed, authorized, and tested prior to being implemented on OneNet. However, the ICCB only has oversight on reviewing and approving proposed technical changes and does not monitor components’ progress on migrating to OneNet.
Furthermore, while we noted that DHS monitors the implementation through the use of a “stoplight chart” and SIOC/CIOC meetings, we maintain that the department’s OneNet oversight must be strengthened. For example, management responded that the CIOC develops overarching guidance and directs the implementation effort. With the exception of the Deputy Secretary memorandum, ITP program officials were unable to provide additional documentation to support that DHS had issued any guidance to components regarding OneNet consolidation. While the security requirements and OneNet functionality continue to evolve, the PMP has not been updated to reflect any detailed implementation activities beyond FY 2009. In addition, the PMP does not include the estimated resources needed to complete the project. DHS cannot effectively measure the OneNet implementation status without an updated PMP or establishing a completion date for the consolidation and interim milestones for critical tasks such as establishing the required MOAs with CBP, migrating components’ existing infrastructures into OneNet, or utilizing the services that OneNet provides.
Without strengthening components’ oversight, OneNet implementation may be further delayed, preventing DHS from obtaining a consolidated IT infrastructure.

DHS response to recommendation 2

DHS concurred with recommendation 2. DHS will update the OneNet PMP, to include key milestones and dates pertaining to the OneNet transition in Fiscal Year (FY) 2010.

OIG analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved and will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS response to recommendation 3

DHS did not concur with recommendation 3. DHS noted that the department will review the OneNet and TIC implementation strategy and update as necessary with input from components. If updates or revisions of component priorities are necessary, DHS will work in concert with the SIOC/CIOC to ensure priorities are revised accordingly. While component participation must be strengthened in the future, DHS has taken a number of steps to provide effective leadership for the OneNet transition.
In 2006, the Deputy Secretary issued a memorandum which not only provided clear direction to support and prioritize ITP efforts, but also directed components to plan migrations and apply both investment and Operation and Management dollars toward achieving the ITP end state in several key areas, including networks. OCIO has recommended to the Secretary’s Efficiency Review Team that a Management Action Directive also be issued to reinforce the 2006 Deputy Secretary policy memorandum.

OIG analysis

While DHS noted in its response that the department did not concur with the recommendation, we conclude that the proposed corrective actions satisfy and meet the intent of this recommendation. For example, the department agreed that component participation must be strengthened in the future. DHS’ proposed actions include a review of the OneNet and TIC implementation strategy. We consider this recommendation resolved and will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS response to recommendation 4

DHS concurred with recommendation 4. DHS will work with components to update and establish Project Plans and schedules with key milestones and specific, accurate dates pertaining to OneNet and TIC migrations.
The department will continue to monitor progress through the SIOC/CIOC and work with each component to ensure all schedules, critical tasks and milestones are completed in a timely manner.

OIG analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved and will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS response to recommendation 5

DHS concurred with recommendation 5. The issue is being addressed by the DHS Deputy Secretary, who is leading the effort to establish suitability reciprocity within DHS, and will also be addressed by the overall Federal reform effort concerning suitability reciprocity throughout the executive branch. Suitability reciprocity is not mandated in the Federal government since no implementation order has been published. However, the DHS Office of the Chief Security Officer has taken a proactive approach along with the OCIO, and has begun negotiations with the components to come to an agreement on minimum investigative/adjudicative standards which will be acceptable to all components at DHS, and allow for reciprocity.

OIG analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation.
We consider this recommendation resolved and will remain open until DHS provides documentation to support that all planned corrective actions are completed.

Technical Changes Can Improve OneNet Security

Overall, DHS has implemented effective security controls over OneNet. To assess the security posture, we interviewed selected IT personnel at OneNet’s primary and backup NOC/SOC. In addition, we performed internal vulnerability assessments using           Further, we reviewed configuration settings on           for compliance with applicable DHS policy and National Institute of Standards and Technology (NIST) guidance. Finally, we performed external penetration testing using           to validate the results of our internal vulnerability assessments.⁸

Security Testing Validated the Effectiveness of Controls Implemented

As of January 2009, DHS had deployed more than 3,000 network devices on OneNet to include firewalls, routers, and switches.
In assessing the effectiveness of system controls, we performed vulnerability assessments on 41 internal network devices, i.e.,           These devices were selected based on           No critical vulnerabilities were identified that could be exploited to gain unauthorized access to OneNet. We also reviewed configuration settings           penetration testing.

To validate our internal vulnerability assessment results, we performed an external penetration test. The purpose of our external penetration test was to attempt to gain access to OneNet externally and to validate our vulnerability assessment results. First, we           We then targeted           We performed           Utilizing information obtained from the discovery scans, the next step of the penetration test was to exploit any potential vulnerabilities to gain access to the network.

⁸

The results of our external penetration testing revealed that DHS has implemented effective controls to restrict access to OneNet through its external gateway,
DHS has implemented this as a protective measure to restrict access to sensitive information about the network from an outside source. The results from our configuration review and internal vulnerability assessments are consistent with this finding.

          Based on our configuration review and the results of our discovery scans, the responding IP addresses are designed to communicate with other authorized routers outside the network and to facilitate traffic through the network.

The results of our penetration testing revealed that DHS has implemented effective controls to prevent unauthorized access to the network. The penetration test results support the output and analysis of the internal vulnerability testing and assessments of the security controls conducted during our audit.
However, these test results are limited to           They cannot be used to support any conclusions about the security controls of OneNet through component gateways.

DHS Security Baseline Configuration Settings

While CBP has implemented effective controls on OneNet,           were not configured based on DHS security guidelines. When           are not properly configured,           We identified the following:

DHS has developed configuration guidelines, which are a set of procedures to ensure minimum baseline security           .
Components are required to ensure that DHS baseline configuration settings are implemented.

NOC/SOC Disaster Recovery Capability Can Be Improved

DHS has not ensured that its backup facility, located in           at its primary NOC/SOC location.

The NOC/SOC backup facility, which became operational in January 2009, provides around the clock continuous incident analysis and monitoring of OneNet traffic.           The main function of the backup NOC/SOC is to analyze and monitor OneNet traffic. In the event of an emergency, the backup NOC/SOC is required to replicate the primary facility and provide consistent, compatible incident response and monitoring functions.

According to CBP personnel, the backup site was selected as a secondary NOC/SOC because the facility had an existing infrastructure that met DHS’ requirements.
In the event of an extended service disruption at the primary NOC/SOC, CBP personnel stated that           CBP personnel added that the department plans           However, no timeline has been established.

FISMA requires that each agency develop, document, and implement an agency wide information security program approved by the Director of OMB that includes, among other things, plans and procedures to ensure the continuity of operations for information systems that support the operations and assets of the agency. DHS and OMB require that contingency planning be developed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster.

A backup facility can provide the capabilities to replicate and restore critical applications and functions in order to resume operations in the event of a disaster.
Losing computing capability and the ability to monitor, respond to, and investigate OneNet security incidents can significantly affect DHS’ ability to accomplish its mission.

Recommendations

We recommend that the Under Secretary for Management direct the CIO to:

Recommendation #6: Implement a technical solution for OneNet to provide

Recommendation #7: Strengthen           controls to restrict access and prevent unauthorized

Recommendation #8: Disable           to prevent unauthorized access.

Recommendation #9: Establish an alternate site to supplement the backup NOC/SOC capability until the facility can be

Management Comments and OIG Analysis

DHS response to recommendation 6

DHS concurred with recommendation 6. DHS is now taking steps to ensure that           Upon completion of the verification effort, a scan of the network will be conducted to ensure compliance. DHS expects this effort to be completed by August 31, 2009.

OIG analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation.
We consider this recommendation resolved and will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS response to recommendation 7

DHS concurred with recommendation 7. DHS will change the configuration of all OneNet           to comply with the DHS MD4300A policy           will be completed by August 31, 2009. Physical security of the OneNet primary and backup NOC facilities includes strict access control and personnel security procedures, and security monitoring 24 hours a day, seven days a week.           in accordance with the DHS system security policy.

OIG analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved and will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS response to recommendation 8

DHS did not concur with recommendation 8.
DHS noted that           Scans are performed regularly to discover devices running unnecessary or unauthorized services, in addition to continuous network Intrusion Detection Systems monitoring in real-time.

OIG analysis

We maintain that           were not configured based on DHS security guidelines           were not disabled. While DHS prohibits the use of           during our vulnerability assessments we identified seven instances where the service was enabled on selected           Our results revealed that           were not fully configured based on DHS configuration guidelines. DHS must strengthen its controls to ensure           are disabled on           . We consider this recommendation unresolved and will require additional discussion between our offices before disposition.

DHS response to recommendation 9

DHS did not concur with recommendation 9. DHS noted that as of December 31, 2008, the department had achieved full operating capability of the backup NOC/SOC facility. According to DHS, the backup NOC/SOC staff is sufficient to cover core critical NOC/SOC services.
OneNet has fully redundant NOC/SOC server
facilities with full live data replication in real-time, as well as live
24 hours a day, seven days a week NOC/SOC staff currently
integrated in real time operations. Per DHS, OneNet and the
backup NOC/SOC in                performed a successful Continuity of
Operations failover test in January 2009 that included restoration
and failover of all critical NOC/SOC applications from the backup
NOC/SOC. The backup NOC/SOC can be

OIG analysis

We maintain that due to                         the secondary
NOC/SOC

in the event of an extended emergency. A backup facility should
provide the capabilities of replicating and restoring critical
applications and functions in order to resume operations in the
event of emergency. While the backup NOC/SOC is staffed to
monitor the network for potential outages,

                                     Furthermore, due to the
sensitive nature of NOC/SOC operations, these functions cannot be
performed in an unprotected office environment or staffs’
residences.
We consider this recommendation unresolved and will
require additional discussion between our offices before
disposition.

Appendix A
Purpose, Scope, and Methodology

The objective of our review was to determine whether DHS is
implementing OneNet effectively, including related security
controls, and whether projected savings and targeted milestones
have been achieved. Specifically, we determined whether: (1)
DHS has achieved its program management goals, including
targeted milestones and projected cost savings for OneNet; (2)
effective security controls have been implemented on OneNet to
protect the information stored and processed by the network; (3)
adequate network and security monitoring are performed for
OneNet; and (4) FISMA requirements were met.

We interviewed selected personnel at DHS HQ and component
facilities in the Washington, D.C. area; primary NOC/SOC
personnel in                     ; and backup NOC/SOC personnel in
               . In addition, we reviewed and evaluated DHS’
security policies and procedures, OneNet project plans and
technical descriptions, the ITP charter, and other appropriate
documentation.
During the audit, we used software tools,
                          , to detect, analyze, and evaluate the
effectiveness of the security controls implemented on selected
OneNet                                        We also performed
external penetration testing using                 to validate the
results of our internal vulnerability assessments. Upon completion
of the assessments, we provided program officials with the
technical reports detailing the specific vulnerabilities detected on
OneNet network devices and the actions needed for remediation.

We conducted this audit between January and April 2009
according to generally accepted government auditing standards.
Those standards require that we plan and perform the audit to
obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusions based on our
audit objectives. Major OIG contributors to the audit are identified
in Appendix D.

The principal OIG points of contact for the evaluation are
Frank Deffer, Assistant Inspector General, Office of Information
Technology, at (202) 254-4041 and Edward G. Coleman, Director,
Information Security Audit Division, at (202) 254-5444.

Appendix B
Management Comments

Appendix C
Components’ OneNet Implementation Status

Appendix D
Major Contributors to this Report

Information Security Audit Division

Edward Coleman, Director
Chiu-Tong Tsang, Audit Manager
Mike Horton, IT Officer
Barbara Bartuska, Audit Manager
Maria Rodriguez, Team Lead
Aaron Zappone, Program Analyst
Nazia Khan, IT Specialist

Domingo Alvarez, Referencer

Appendix E
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff for Operations
Chief of Staff for Policy
Acting General Counsel
Executive Secretary
Assistant Secretary for Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Chief Information Officer
Deputy Chief Information Officer
Chief Information Security Officer
Director, Compliance and Oversight
Director, GAO/OIG Liaison Office
CIO Audit Liaison
Chief Information Security Officer Audit Manager

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as
appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100,
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal
misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.